Overview

overview

10

Static

static

10

3590c6d415...d.xlsm

windows7-x64

10

3590c6d415...d.xlsm

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 21:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3590c6d4154359633d88e5522d38f6f9d06bab4228821f9d9e6dcf245e03e55d.xlsm

  • Size

    40KB

  • MD5

    c95665538e966898005cadaa2eb5abef

  • SHA1

    d10b4216c7a146861aea4d63d3fc5787684a6d2b

  • SHA256

    3590c6d4154359633d88e5522d38f6f9d06bab4228821f9d9e6dcf245e03e55d

  • SHA512

    3d54b40fb0336ffbac3d425b9fcb58e896e0398684ebd7eaae8c572b89ea107cc7c83ede5720264a9c4e1d5733381f817f7f4e48eaa4159e2d7dabf104e6be41

  • SSDEEP

    768:itby3nCsqi1O3mnOzyKfcrND59V+L9Rw4eWrXcTqy0y3:abunC5iymqylND59V4jwmXc2Xy3

Score
10/10
discovery

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://foroviviendaparaguay.com/wp-admin/hx8U6XMffnkv8HI2Oig/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\3590c6d4154359633d88e5522d38f6f9d06bab4228821f9d9e6dcf245e03e55d.xlsm
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe -s ..\xda.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\xda.ocx
    Filesize

    1KB

    MD5

    2f735f81f4cbf5ca1df7759d2aee1484

    SHA1

    f57205cb5da51943afb9752ef5442284a2fca1f9

    SHA256

    a71382e2eb06999fc9a86150dde5f8b29f2237202088fb6e0df38e1710422434

    SHA512

    558a000ad435020bb8ee0f2a57bb1342eff1df67f4a5ff7889d65da4787110171c7aaacb34103f1992fc197e9f419af05d89848e300f4143b068bd776c726d51

    Download Submit

  • memory/2480-1-0x000000007296D000-0x0000000072978000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2480-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2480-9-0x000000007296D000-0x0000000072978000-memory.dmp

    Filesize

    44KB

    Download